Samba is a re-implementation of the SMB networking protocol. It facilitates file and printer sharing among Linux and Windows systems as an alternative to NFS. This article provides instructions for users on how to set up Samba.

Add your user to the sambashare group. Replace your_username with the name of your user:

# gpasswd sambashare -a your_username

Restart smb.service and nmb.service.

Log out and log back in. You should now be able to configure your Samba share using a GUI. For example, in Thunar you can right click on any directory and share it on the network. If you want to share paths inside your home directory you must make it listable for the group others.

Adding a user

Samba requires a Linux user account - you may use an existing user account or create a new one.

Although the user name is shared with the Linux system, Samba uses a password separate from that of the Linux user accounts. Replace samba_user with the chosen Samba user account:

List public shares

The following command lists public shares on a server:

$ smbclient -L hostname -U%

Alternatively, running smbtree will show a tree diagram of all the shares. This is not advisable on a network with a lot of computers, but can be helpful for diagnosing if you have the correct sharename.

$ smbtree -b -N

Where the options are -b (--broadcast) to use broadcast instead of using the master browser and -N (--no-pass) to not ask for a password.

NetBIOS/WINS host names

You may need to start winbind.service in order to resolve host names with e.g. mount.cifs.

The smbclient package provides a driver to resolve host names using WINS. To enable it, add wins to the “hosts” line in /etc/nsswitch.conf.

Disable NetBIOS/WINS support

When not using NetBIOS/WINS host name resolution, it may be preferred to disable this protocol:

As systemd unit

Note: Make sure the filename corresponds to the mountpoint you want to use.
E.g. the unit name mnt-myshare.mount can only be used if you are going to mount the share under /mnt/myshare. Otherwise the following error might occur: systemd[1]: mnt-myshare.mount: Where= setting does not match unit name. Refusing..

Note: If you want to use a hostname for the server you want to share (instead of an IP address), add systemd-resolved.service to After and Wants. This might avoid mount errors at boot time that do not arise when testing the unit.
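The naming rule behind that error, as an added example that is not part of the original article: the Python below derives the file name systemd requires from a unit's Where= path and compares it with the name actually used. The function names and the sample unit (including the //server/share placeholder) are assumptions of this example.

```python
# Characters systemd leaves unescaped when it turns a path into a unit name.
_PLAIN = set("abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789:_.")


def mount_unit_name(where):
    """File name systemd requires for a mount unit with this Where= path
    (the same result as `systemd-escape -p --suffix=mount PATH`)."""
    if not where.startswith("/"):
        raise ValueError("Where= must be an absolute path")
    path = "/".join(p for p in where.split("/") if p not in ("", "."))
    if not path:
        return "-.mount"  # the root file system
    out = []
    for i, byte in enumerate(path.encode()):
        ch = chr(byte)
        if ch == "/":
            out.append("-")
        elif ch in _PLAIN and not (i == 0 and ch == "."):
            out.append(ch)
        else:
            out.append(f"\\x{byte:02x}")  # "-", spaces, non-ASCII bytes, ...
    return "".join(out) + ".mount"


def check_mount_unit(file_name, unit_text):
    """Return None when file_name matches Where=, else the expected name."""
    where = None
    for line in unit_text.splitlines():
        key, sep, value = line.partition("=")
        if sep and key.strip() == "Where":
            where = value.strip()
    if where is None:
        raise ValueError("unit has no Where= setting")
    expected = mount_unit_name(where)
    return None if file_name == expected else expected


# Constructed sample unit; server name and share are placeholders.
SAMPLE_UNIT = """\
[Unit]
Description=Mount share at boot

[Mount]
What=//server/share
Where=/mnt/myshare
Type=cifs
"""

if __name__ == "__main__":
    print(check_mount_unit("myshare.mount", SAMPLE_UNIT))
```

A mount point containing a hyphen is the usual surprise: /mnt/my-share needs the file name mnt-my\x2dshare.mount, because a plain "-" in a unit name stands for a path separator.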

Other graphical environments

There are a number of useful programs, but they may need to have packages created for them. This can be done with the Arch package build system. The good thing about these others is that they do not require a particular environment to be installed to support them, and so they bring along less baggage.

LinNeighborhood, RUmba, xffm-samba plugin for Xffm are not available in the official repositories or the AUR. As they are not officially (or even unofficially) supported, they may be obsolete and may not work at all.

Tips and tricks

Disable SMB1 protocol for better security

The SMB1 protocol is considered a security risk, and most clients support at least SMB2, so it makes sense to deny connection attempts to the server via the SMB1 protocol:

/etc/samba/smb.conf

[global]
server min protocol = SMB2

Improve performance

It is possible to improve performance; however, this may lead to corruption and/or connection issues.

Read the smb.conf(5) man page before applying any of the options listed below.

Note: Network-interface adjustments may be needed for some options to work, see Sysctl#Networking.

Block certain file extensions on Samba share

Note: Setting this parameter will affect the performance of Samba, as it will be forced to check all files and directories for a match as they are scanned.

Samba offers an option to block files with certain patterns, like file extensions. This option can be used to prevent dissemination of viruses or to dissuade users from wasting space with certain files. More information about this option can be found in smb.conf(5).

Build Samba without CUPS

Samba has built-in support [for CUPS] and defaults to CUPS if the development package (aka header files and libraries) could be found at compile time.

Of course, modifications to the PKGBUILD will also be necessary: libcups will have to be removed from the depends and makedepends arrays and other references to cups and printing will need to be deleted. In the case of the 4.1.9-1 PKGBUILD, 'other references' includes lines 169, 170 and 236:

Windows clients keep asking for password even if Samba shares are created with guest permissions

A known Windows 7 bug that causes "mount error(12): cannot allocate memory" on an otherwise perfect cifs share on the Linux end can be fixed by setting a few registry keys on the Windows box as follows:

This error affects some machines running Windows 10 version 1709 and later. It is not related to SMB1 being disabled in this version but to the fact that Microsoft disabled insecure logons for guests on this version for some, but not others.

To fix, open Group Policy Editor (gpedit.msc). Navigate to Computer configuration\administrative templates\network\Lanman Workstation > Enable insecure guest logons and enable it.
Alternatively, change the following value in the registry:

Error: Failed to retrieve printer list: NT_STATUS_UNSUCCESSFUL

If you are a home user and using samba purely for file sharing from a server or NAS, you are probably not interested in sharing printers through it. If so, you can prevent this error from occurring by adding the following lines to your /etc/samba/smb.conf:

Sharing a folder fails

This means that when you share a folder from Dolphin (file manager), everything seems OK at first, but after restarting Dolphin the share icon is gone from the shared folder, and output like the following appears in the terminal (Konsole):

And you are using a firewall (iptables) because you do not trust your local (school, university, hotel) network. This may be due to the following: When the smbclient is browsing the local network it sends out a broadcast request on udp port 137. The servers on the network then reply to your client but as the source address of this reply is different from the destination address iptables saw when sending the request for the listing out, iptables will not recognize the reply as being "ESTABLISHED" or "RELATED", and hence the packet is dropped. A possible solution is to add:

"Browsing" network leads to an empty folder

Despite a working and well-configured Samba, browsing the network for Windows shares with a gvfs-based file manager (Nautilus, PCManFM, and others) shows only an empty folder.
Samba 4.7 changed the default protocols, and this seems to cause problems with browsers.
As a temporary workaround, you can add the following parameter to the smb.conf configuration file:

/etc/samba/smb.conf

...
[global]
client max protocol = NT1
...
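The two protocol settings on this page pull in opposite directions: server min protocol = SMB2 refuses SMB1 on the server side, while client max protocol = NT1 puts the client back on SMB1. The following check is an added example, not part of the original article; it reports every protocol parameter in an smb.conf that is explicitly set to an SMB1-era dialect. The function name and the sample configuration are assumptions of this example.

```python
import re

# SMB1-era dialect names accepted by the protocol parameters in smb.conf(5).
SMB1_DIALECTS = {"CORE", "COREPLUS", "LANMAN1", "LANMAN2", "NT1"}

# Parameters that bound the negotiated dialect ("min protocol" and
# "max protocol" are the documented synonyms of the server-side pair).
PROTOCOL_PARAMS = {
    "serverminprotocol": "server min protocol",
    "minprotocol": "server min protocol",
    "servermaxprotocol": "server max protocol",
    "maxprotocol": "server max protocol",
    "clientminprotocol": "client min protocol",
    "clientmaxprotocol": "client max protocol",
}


def audit_smb1(conf_text):
    """Return (line_no, section, parameter, value) for every protocol
    parameter that is explicitly set to an SMB1-era dialect."""
    findings = []
    section = None
    for line_no, raw in enumerate(conf_text.splitlines(), start=1):
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            section = header.group(1).strip().lower()
            continue
        name, sep, value = line.partition("=")
        if not sep:
            continue
        # smb.conf ignores case and whitespace inside parameter names.
        key = re.sub(r"\s+", "", name).lower()
        dialect = value.strip().upper()
        if key in PROTOCOL_PARAMS and dialect in SMB1_DIALECTS:
            findings.append((line_no, section, PROTOCOL_PARAMS[key], dialect))
    return findings


# Constructed sample combining both settings discussed on this page.
SAMPLE_CONF = """\
[global]
   workgroup = WORKGROUP
   server min protocol = SMB2
   ; the gvfs browsing workaround re-enables SMB1 on the client side
   client max protocol = NT1
"""

if __name__ == "__main__":
    for line_no, section, param, dialect in audit_smb1(SAMPLE_CONF):
        print(f"line {line_no} [{section}]: {param} = {dialect} allows SMB1")
```

Feeding it the output of testparm -s audits the configuration as Samba itself parses it; parameters that are not set at all are not reported, since their defaults depend on the Samba version.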

Protocol negotiation failed: NT_STATUS_INVALID_NETWORK_RESPONSE

The client probably does not have access to shares. Make sure the client's IP address is in the hosts allow = line in /etc/samba/smb.conf.

Connection to SERVER failed: (Error NT_STATUS_UNSUCCESSFUL)

You are probably passing a wrong server name to smbclient. To find out the server name, run hostnamectl on the server and look at the "Transient hostname" line.

Connection to SERVER failed: (Error NT_STATUS_CONNECTION_REFUSED)

Make sure that the server has started. The shared directories should exist and be accessible.

See the mount.cifs(8) man page: ntlmssp - Use NTLMv2 password hashing encapsulated in Raw NTLMSSP message. The default in mainline kernel versions prior to v3.8 was sec=ntlm. In v3.8, the default was changed to sec=ntlmssp.

Mapping reserved Windows characters

Starting with kernel 3.18, the cifs module uses the "mapposix" option by default.
When mounting a share using unix extensions and a default Samba configuration, files and directories containing one of the seven reserved Windows characters : \ * < > ? are listed but cannot be accessed.